
project – 05.06.2002

Originally written 05.06.2002.

  • Recompiled kernel modules on achriesgill so NAT would work.
  • Over the weekend I had edited the honeynet project’s default firewalling script with the IPs for my network. Not sure if the rate limiting will be appropriate or not. Also might want to edit it further to restrict access to certain hosts. I’ll mess with that later once I get the IDS installed.
  • Fired up the firewall script on achriesgill and it worked like a charm. NAT works, so I can get to my honeypots from the outside, and logging works as well. Here are some example logs:

    May 6 11:53:22 achriesgill kernel: INBOUND: IN=eth0 OUT=tap1 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28418 SEQ=0
    May 6 11:53:23 achriesgill kernel: INBOUND: IN=eth0 OUT=tap1 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28418 SEQ=256
    May 6 11:53:40 achriesgill kernel: INBOUND: IN=eth0 OUT=tap1 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=44894 DF PROTO=TCP SPT=1377 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    May 6 11:53:42 achriesgill kernel: INBOUND: IN=eth0 OUT=tap1 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=32784 DF PROTO=TCP SPT=1378 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    May 6 11:56:00 achriesgill kernel: INBOUND: IN=eth0 OUT=tap1 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1976 DF PROTO=TCP SPT=1379 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    May 6 11:56:27 achriesgill kernel: INBOUND: IN=eth0 OUT=tap1 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=26913 DF PROTO=TCP SPT=1380 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

  • Need to find a good log analyzer for pulling the firewall info out of the syslog logs.
  • Downloaded the honeynet project’s sample snort.conf file from http://project.honeynet.org/papers/honeynet/snort.conf to peruse and modify.
  • The config file was pretty simple given that we want to log everything. Just disabled all logging and alert mechanisms except for the tcpdump-style binary file.
  • Modified my scripts to use the TextReplacer class rather than have the config file generation hard-coded in.
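As an added example (not the author's scripts and not the Honeynet Project's code), here is the kind of small parser a "log analyzer for the firewall info in syslog" needs. It picks the iptables LOG entries out of mixed syslog text in the exact format quoted above, splits the `KEY=VALUE` pairs from bare flag tokens such as `DF` and `SYN`, keeps the two `ID=` fields of an ICMP packet apart, and then summarises connection attempts per port and per source. The sample lines are constructed with hypothetical addresses; the `OUTBOUND:` prefix is an assumption about how a rule for honeypot-originated traffic might be labelled, which is worth tracking separately because an outbound connection from a honeypot usually means it has been compromised.

```python
# Added example: parse iptables LOG entries out of syslog and summarise them.
# Not the post author's or the Honeynet Project's code; sample data is constructed.
import re
from collections import Counter

# Constructed sample syslog text (hypothetical addresses).  "OUTBOUND:" is an
# assumed log-prefix for honeypot-originated traffic; the post only shows INBOUND.
SAMPLE_SYSLOG = """\
May 6 11:53:22 achriesgill kernel: INBOUND: IN=eth0 OUT=tap1 SRC=10.0.0.5 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28418 SEQ=0
May 6 11:53:40 achriesgill kernel: INBOUND: IN=eth0 OUT=tap1 SRC=10.0.0.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=44894 DF PROTO=TCP SPT=1377 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 6 11:53:42 achriesgill kernel: INBOUND: IN=eth0 OUT=tap1 SRC=10.0.0.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=32784 DF PROTO=TCP SPT=1378 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 6 11:56:00 achriesgill kernel: INBOUND: IN=eth0 OUT=tap1 SRC=10.0.0.7 DST=192.168.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1976 DF PROTO=TCP SPT=1379 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 6 11:56:01 achriesgill sshd[1234]: Accepted password for root from 10.0.0.5 port 1380 ssh2
May 6 11:57:03 achriesgill kernel: OUTBOUND: IN=tap1 OUT=eth0 SRC=192.168.1.10 DST=10.0.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=101 DF PROTO=TCP SPT=1025 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog timestamp (no year), host, "kernel:", an optional printk timestamp
# that newer kernels prepend, the --log-prefix text, then the IN=... fields.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: "
    r"(?:\[\s*\d+\.\d+\] )?"
    r"(?P<prefix>.*?)(?P<kv>IN=.*)$"
)


def parse_log_line(line):
    """Return a dict for an iptables LOG line, or None for any other syslog line."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    fields, flags = {}, set()
    for tok in m.group("kv").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # ICMP entries carry two ID= fields (IP header ID, then ICMP
            # identifier).  PROTO is logged before the second one, so a
            # repeated key is stored under the protocol name, e.g. ICMP_ID.
            if key in fields:
                key = f"{fields.get('PROTO', 'DUP')}_{key}"
            fields[key] = val
        else:
            flags.add(tok)  # bare tokens: DF, SYN, ACK, FIN, ...
    return {
        "timestamp": m.group("ts"),  # syslog carries no year; kept as text
        "host": m.group("host"),
        "prefix": m.group("prefix").strip().rstrip(":"),
        "fields": fields,
        "flags": flags,
    }


def parse_syslog(text):
    """Parse every iptables LOG line in a block of syslog text, skipping the rest."""
    return [r for r in map(parse_log_line, text.splitlines()) if r is not None]


def summarize(records):
    """Aggregate what a honeynet operator wants to see at a glance."""
    inbound_syn_by_port = Counter()  # new TCP connection attempts per port
    inbound_by_src = Counter()       # who is probing the honeypots
    icmp_echo_requests = 0
    outbound_connections = []        # honeypot-initiated traffic: usually a compromise
    for r in records:
        f, flags = r["fields"], r["flags"]
        if r["prefix"] == "INBOUND":
            inbound_by_src[f["SRC"]] += 1
            if f.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
                inbound_syn_by_port[f["DPT"]] += 1
            elif f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
                icmp_echo_requests += 1
        elif r["prefix"] == "OUTBOUND":
            outbound_connections.append((f["SRC"], f["DST"], f.get("DPT")))
    return {
        "inbound_syn_by_port": inbound_syn_by_port,
        "inbound_by_src": inbound_by_src,
        "icmp_echo_requests": icmp_echo_requests,
        "outbound_connections": outbound_connections,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_syslog(SAMPLE_SYSLOG)).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run it against a real file with `summarize(parse_syslog(open("/var/log/messages").read()))`; anything that is not an iptables LOG line (the sshd entry in the sample, for instance) is simply skipped rather than mis-parsed.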

ring

Originally written 05.06.2002.

watched what was probably one of the scariest horror movies i’ve ever seen. it was this subtitled japanese film titled “ring” and it was awesome. no gore, just an eerie, unsettling quality throughout the whole film, and some good twists and shocks to drive the suspense home. the basic premise of the movie is that some teenagers find a video that, when viewed, causes the viewer to die within 7 days. a journalist investigating the deaths watches the video, and must track down the dark secret of the video before it’s too late.

the thing that really makes a good horror movie is that it plays on cultural themes, perhaps stirring up some of our latent fears. the movie has the typical mysticism that one can expect from many japanese offerings, but the idea that technology is the medium through which evil is propagated seems to, at least in a small way, reflect some underlying uneasiness about the teched-out nature of modern japanese culture.